Controlling Information Systems: Business Process Controls

In this chapter we learn how to analyze narratives and systems flowcharts and begin to ANALYZE our documentation of business processes for controls that exist or are missing. For missing controls, implementation should follow (assuming the benefits of these controls exceed their costs, given the risk exposure they address). For existing controls, we still need to determine whether they are operating as expected or need to be corrected; and lastly we need to determine whether we have too many overlapping controls in place, creating costs that exceed the benefits.

The Control Matrix (definition):

A tool designed to assist you in evaluating the potential effectiveness of controls in a particular business process by matching control goals with relevant control plans. It establishes the criteria to be used in evaluating the controls in a particular business process.
SOX Section 404 requires that the effectiveness of internal control design be assessed; auditors typically use a control matrix to perform that assessment.

Steps in Preparing the Control Matrix:

Step 1: Specify Control Goals:
  • Identify operations process control goals:
    • Effectiveness goals: describe measures of success for the operations process. These are developed during an enterprise's risk-management process (there may be more than one).
    • Efficiency goals: relate to ensuring that resources used in the business process are being employed in the most productive manner (usually people and computers).
    • Security goals: relate to protecting entity resources from loss, destruction, disclosure, copying, sale, or other misuse. These are meant to manage risks identified in the enterprise risk-management process (consider all affected data and tangible assets).
  • Identify information process goals:
    • Input goals (validity, completeness, and accuracy) with respect to all business process data entering the system.
    • Update goals (completeness and accuracy): apply only when there is a periodic (batch) update, i.e., a delay between input and update.
Step 2: Recommend Control Plans:
  • Identify "Present" Control Plans: Identify the controls already shown in the narrative or flowchart that seem to accomplish one or more of the control goals. Controls fall into two categories: generic controls and controls that relate to a specific business process.
  • Evaluate "Present" Control Plans: Starting with P-1, look across the row and determine which control goals the plan addresses, and place a P-1 in each cell of the matrix for which P-1 is applicable. A single control plan can address more than one control goal. Continue this procedure for each present control plan, and describe how each plan addresses each control goal noted.
  • Identify and Evaluate "Missing" Control Plans: Determine whether additional controls are needed to address control goals that no plan covers, to strengthen present control plans, or both.
    • Examine the control matrix: Start by looking for control goals (operations or information) that no present control plan addresses.
    • Evaluate the systems flowchart: Even when every control goal on the matrix has one or more associated control plans, it may still be necessary to add control plans or strengthen existing ones to reduce residual risk to an acceptable level in particular areas.
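The two steps above can be carried out mechanically once the plans and goals are written down. The following is an added example (not part of the chapter or any textbook's material) that builds a control matrix in Python from a constructed set of four present control plans for a hypothetical order-entry process, places each P-n in the cells of the goals it addresses, and then performs both checks of Step 2: goals that no present plan covers (candidates for missing plans) and goals covered by several plans (candidates for the overlapping-control cost/benefit review). The goal names and the plan-to-goal mappings are illustrative assumptions.

```python
# Control goals that form the matrix columns (Step 1 of the chapter).
OPERATIONS_GOALS = ["effectiveness", "efficiency", "security"]
INFORMATION_GOALS = ["input_validity", "input_completeness", "input_accuracy",
                     "update_completeness", "update_accuracy"]
ALL_GOALS = OPERATIONS_GOALS + INFORMATION_GOALS

# Constructed example: present control plans (P-n) for a hypothetical
# order-entry process, each listed with the goals it addresses.  These
# mappings are illustrative assumptions, not a published matrix.
PRESENT_PLANS = {
    "P-1": ("Populate input screens with master data",
            ["efficiency", "input_accuracy"]),
    "P-2": ("Compare input data with master data",
            ["input_validity", "input_accuracy"]),
    "P-3": ("Programmed edit checks (limit check)", ["input_accuracy"]),
    "P-4": ("Confirm input acceptance", ["input_completeness"]),
}


def build_matrix(plans, goals=ALL_GOALS):
    """Return {goal: [plan ids]}: each plan id is placed in the cell of every
    goal it addresses, as in Step 2.  Unknown goal names are rejected so a
    typo cannot silently leave a goal looking covered."""
    matrix = {g: [] for g in goals}
    for pid, (_, plan_goals) in plans.items():
        for g in plan_goals:
            if g not in matrix:
                raise ValueError(f"{pid} cites unknown control goal {g!r}")
            matrix[g].append(pid)
    return matrix


def uncovered_goals(matrix):
    """Goals no present plan addresses: the first place to look for missing
    (M-n) control plans."""
    return [g for g, pids in matrix.items() if not pids]


def overlapping_goals(matrix, threshold=2):
    """Goals addressed by at least `threshold` plans: candidates for the
    'too many overlapping controls' cost/benefit review."""
    return {g: pids for g, pids in matrix.items() if len(pids) >= threshold}


def render(matrix, plans):
    """Plain-text grid: one row per plan, one column per goal, 'P-n' in the
    cell where the plan addresses that goal."""
    goals = list(matrix)
    width = max(len(g) for g in goals)
    lines = ["plan  " + " ".join(g.ljust(width) for g in goals)]
    for pid in plans:
        cells = [(pid if pid in matrix[g] else "").ljust(width) for g in goals]
        lines.append(f"{pid:<5} " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(PRESENT_PLANS)
    print(render(m, PRESENT_PLANS))
    print("uncovered goals:", uncovered_goals(m))
    print("overlapping goals:", overlapping_goals(m))
```

With the constructed plans, the uncovered list shows that nothing addresses effectiveness, security, or either update goal, while input accuracy is covered three times; the first finding drives the search for missing plans, the second the question of whether the overlap is worth its cost.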



Generic Control Plans:

Summary of Plans and their Goals


  • Input Plans (Manual Input):
    • Document Design: The source document is designed so that it is easy to complete and easy to enter its data.
    • Written Approvals: A signature or initials indicating approval of event processing.
    • Preformatted Screens: Define the acceptable format for each data field. Examples include a field with a drop-down list of choices for the user, automatically populating certain fields (such as the correct tax rate to use), or requiring certain fields to be populated before moving on so that the user cannot omit mandatory fields.
    • Online Prompting: The system requests user input or asks the user questions to guide data entry.
    • Populate Input Screens with Master Data:
      • The user enters an entity's ID code (most likely, for example, a customer ID) and the system retrieves that entity's data from the master data file.
      • The system then automatically populates the remaining input fields with the existing master data, providing the data unique to each customer.
      • This reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient.
    • Compare Input Data with Master Data:
      • The system compares inputs with existing master data to ensure the input's accuracy and validity.
      • Input/master data dependency checks: Test whether the contents of two or more data elements or fields have a correct logical relationship.
      • Input/master data validity and accuracy checks: Test whether the master data supports the validity and accuracy of the input.
    • Procedures for Rejected Inputs: Once the system has processed the input, any input rejected as erroneous (for example, because it disagrees with the master data) must be identified, corrected, and resubmitted, so that errors are neither lost nor entered uncorrected.
    • Programmed Edit Checks:
      • Automatically performed by data entry programs upon entry of any data. Types are:
        • Reasonableness checks (limit checks): Test inputs for values within predetermined limits.
        • Document/record hash totals: Compare a total computed by the computer over a numeric field of the document or record with the same total calculated manually.
        • Mathematical accuracy checks: Compare calculations performed manually (e.g., on the source document) with the computer-calculated totals.
        • Check digit verification: An extra digit, computed from the other digits of an identifier, is appended to it; the system recomputes the digit on entry and so recognizes data entry errors such as transposed or mistyped digits.
    • Confirm Input Acceptance: Interactive programmed features that inform the user whether the data input has been accepted and recorded, or rejected, for processing.
    • Automated Data Entry: Captures accurate, valid input directly into digital media without manual keying by a user.
    • Enter Data Close to the Originating Source: Helps recognize mistakes in a timely and efficient manner, and avoids the transcription and transport of source documents.
    • Digital Signature: Authenticates the identity of the user who originated the input (and, because the signature is computed over the data, detects any later alteration of it).
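The manual-input plans above (mandatory fields, comparison with master data, and the programmed edit checks) are easiest to see as one data-entry routine. The following is an added example (not from the chapter) that runs the checks over a single keyed sales-order line in Python: a mandatory-field check of the kind a preformatted screen enforces, validity checks against constructed customer and inventory master files, a limit check on quantity, mod-10 (Luhn) check-digit verification on the order number (one common check-digit scheme; the chapter does not specify which is used), a mathematical accuracy check of the keyed line total, and dependency checks between the input and the master data. The routine returns the accept/reject decision together with every error found, so the rejected-input procedure has something to correct and resubmit. The master-file layout, field names and limits are all assumptions made for the example.

```python
# Constructed master data (assumed layout) for the validity and dependency checks.
CUSTOMER_MASTER = {
    "C1001": {"name": "Acme Ltd", "credit_limit": 5000.00},
    "C1002": {"name": "Globex", "credit_limit": 250.00},
}
INVENTORY_MASTER = {"SKU-77": {"unit_price": 19.95}, "SKU-80": {"unit_price": 4.10}}

MANDATORY = ("order_no", "customer_id", "sku", "qty", "unit_price", "line_total")
QTY_LIMITS = (1, 1000)          # assumed reasonableness limits for one order line


def luhn_check_digit_ok(number: str) -> bool:
    """Check digit verification with the mod-10 (Luhn) scheme: the last digit
    is recomputed from the others, so a mistyped or transposed digit fails."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_check(order: dict):
    """Programmed edit checks on one keyed order line.
    Returns (accepted, errors); errors is the list the rejected-input
    procedure uses for correction and resubmission."""
    errors = []
    # Preformatted-screen style check: mandatory fields must be present.
    for field in MANDATORY:
        if order.get(field) in (None, ""):
            errors.append(f"missing mandatory field {field}")
    if errors:
        return False, errors                 # nothing else can be checked yet

    # Input/master data validity checks: the customer and item must exist.
    cust = CUSTOMER_MASTER.get(order["customer_id"])
    if cust is None:
        errors.append("unknown customer_id")
    item = INVENTORY_MASTER.get(order["sku"])
    if item is None:
        errors.append("unknown sku")

    # Reasonableness (limit) check on quantity.
    lo, hi = QTY_LIMITS
    if not (lo <= order["qty"] <= hi):
        errors.append(f"qty outside limits {lo}..{hi}")

    # Check digit verification on the order number.
    if not luhn_check_digit_ok(str(order["order_no"])):
        errors.append("order_no fails check digit")

    # Mathematical accuracy check: keyed line total vs recomputed total.
    if abs(order["qty"] * order["unit_price"] - order["line_total"]) > 0.005:
        errors.append("line_total does not equal qty * unit_price")

    # Input/master data dependency checks (only possible when master data exists).
    if item is not None and abs(item["unit_price"] - order["unit_price"]) > 0.005:
        errors.append("unit_price disagrees with inventory master")
    if cust is not None and order["line_total"] > cust["credit_limit"]:
        errors.append("line_total exceeds customer credit limit")

    return (not errors), errors


# Constructed inputs: one clean line and one with two keying problems.
GOOD_ORDER = {"order_no": "79927398713", "customer_id": "C1001", "sku": "SKU-77",
              "qty": 10, "unit_price": 19.95, "line_total": 199.50}
BAD_ORDER = {"order_no": "79927398710", "customer_id": "C1002", "sku": "SKU-77",
             "qty": 20, "unit_price": 19.95, "line_total": 399.00}

if __name__ == "__main__":
    for o in (GOOD_ORDER, BAD_ORDER):
        accepted, errs = edit_check(o)
        print(o["order_no"], "accepted" if accepted else "rejected", errs)
```

Two details matter in practice: the mandatory-field check short-circuits so that later checks never index a missing key, and the dependency checks are only attempted when the referenced master record exists, otherwise a missing customer would be reported twice.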
Input Plans (Batch Input):
  • Turnaround Documents: used to capture and input a subsequent event. Picking tickets, inventory count sheets, and remittance advice stubs attached to customer invoices are all examples of turnaround documents.
  • Manually Reconcile Batch Totals: operates in the following manner:
    • One or more of the batch totals are established manually.
    • As individual event descriptions are entered (or scanned), the data entry program accumulates independent batch totals.
    • The computer produces reports (or displays) at the end of either the input process or update process, or both.
    • The person who reconciles the batch totals compares the manually established totals with those accumulated by the computer; if they do not agree, that person must determine why and make corrections as necessary to ensure the integrity of the input data.
  • Agree Run-to-run Totals (Reconcile input and output batch totals): This is a variation of the reconciliation/agreement of batch totals controls.
  • Review Tickler File (File of pending shipments): a tickler file is a manual file of documents, or a computer file, that contains business event data that is pending further action.
  • One for One Checking (Compare picking tickets and packing slips): detailed comparison of the individual elements of two or more data sources to determine that they agree.
  • Key Verification: Takes place when input documents are keyed by one individual and then re-keyed by a second individual; the two sets of keystrokes are compared and any difference is flagged for correction.
  • Sequence Check: can apply when documents are numbered sequentially to determine that all documents have been processed (completeness) and no extra documents have been processed (validity).
  • Computer Agreement of Batch Totals: The computer itself compares the manually established batch totals (entered along with the batch) to the totals it accumulates during input, rather than relying on a person to perform the reconciliation.
  • Edit Input Plans
  • Resolve Errors Plans
  • Correct Errors/Input Plans
  • Record Input Plans
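The batch-input plans above fit together as one procedure: totals are established by hand before keying, the input program accumulates its own totals, the two are agreed, a sequence check on the pre-numbered documents explains any shortfall, and after the update run the update's totals are agreed run-to-run against the input totals. The following is an added example (not from the chapter) that carries a constructed batch of five pre-numbered remittance advice stubs through that procedure in Python. The clerk drops stub 1004 while keying, so the manual and computer totals disagree and the sequence check names the missing document; then, during the update, a remittance for a customer absent from the receivables file is suspended rather than posted, which the run-to-run agreement catches. The document numbers, amounts, customer IDs and the balance file are all constructed for the example; the hash total is taken over the document numbers, a field with no business meaning.

```python
from dataclasses import dataclass


@dataclass
class Remittance:
    doc_no: int        # pre-numbered remittance advice stub (a turnaround document)
    customer_id: str
    amount: float


# Totals established manually from the five paper stubs BEFORE keying
# (constructed values): record count, financial total of the amounts, and a
# hash total of the document numbers.
MANUAL_TOTALS = {"record_count": 5, "financial_total": 580.00, "hash_total": 5015}

# What the data-entry clerk actually keyed: stub 1004 was dropped.
KEYED_BATCH = [
    Remittance(1001, "C1001", 120.00),
    Remittance(1002, "C1002", 75.50),
    Remittance(1003, "C1001", 300.00),
    Remittance(1005, "C1003", 42.25),
]


def batch_totals(batch):
    """Totals the input (or update) program accumulates independently of the
    manually established ones."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r.amount for r in batch), 2),
        "hash_total": sum(r.doc_no for r in batch),
    }


def reconcile(expected, actual):
    """Agreement of batch totals: return the totals that disagree as
    (name, expected, actual) so the reconciler can investigate each one.
    An empty list means the batch agrees."""
    return [(k, expected[k], actual[k]) for k in expected if expected[k] != actual[k]]


def sequence_check(batch, first_no, last_no):
    """Pre-numbered documents: missing numbers signal incompleteness; numbers
    outside the range or keyed twice signal invalid (extra) documents."""
    seen = [r.doc_no for r in batch]
    expected = set(range(first_no, last_no + 1))
    return {
        "missing": sorted(expected - set(seen)),
        "extra": sorted(set(seen) - expected),
        "duplicates": sorted({n for n in seen if seen.count(n) > 1}),
    }


def post_batch(batch, ar_balances):
    """Update run: apply each remittance to the customer's receivable balance.
    Remittances for customers absent from the balance file are suspended, not
    posted, and the update's own totals are accumulated from what was posted
    so they can be agreed run-to-run against the input totals."""
    balances = dict(ar_balances)
    posted, suspended = [], []
    for r in batch:
        if r.customer_id in balances:
            balances[r.customer_id] = round(balances[r.customer_id] - r.amount, 2)
            posted.append(r)
        else:
            suspended.append(r)
    return balances, batch_totals(posted), suspended


if __name__ == "__main__":
    keyed = batch_totals(KEYED_BATCH)
    print("input vs manual totals:", reconcile(MANUAL_TOTALS, keyed))
    print("sequence check:", sequence_check(KEYED_BATCH, 1001, 1005))
    balances, output, suspended = post_batch(
        KEYED_BATCH, {"C1001": 1000.00, "C1002": 500.00})
    print("run-to-run:", reconcile(keyed, output),
          "suspended:", [r.doc_no for r in suspended])
```

Note that each control catches something the others do not: the financial total alone would not distinguish a dropped stub from a mis-keyed amount, the hash total would, and only the sequence check says which document to go looking for.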


Automated Control Solutions: